About me


• Nick Shadrin
• 20 years in web
  ◦ NetScaler
  ◦ Zscaler
• 3 years at NGINX
  ◦ Started in Sales Engineering
  ◦ Launched NGINX Unit with Igor and Valentin
  ◦ Now architecting control and management tools
• tg: @nshadrin


HTTP/3 presentation agenda 


• History of protocols
  ◦ Main differences
  ◦ Challenge of upgrading to h2
• QUIC and HTTP/3 features
  ◦ UDP
  ◦ Connection ID
  ◦ Encryption
• Real world implementation
• Our favorite part: Q&A


Basics 


GET /test HTTP/1.1
Host: example.com
User-Agent: Mozilla
X-Forwarded-For: 192.168.10.1
Accept: image/gif, image/jpeg, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate

HTTP/1.1 301 Moved Permanently
Server: unit/1.9
Date: Thu, 18 Jul 2019 21:19:07 GMT
Content-Type: text/html
Content-Length: 184
Connection: close
Location: https://example.com/test


A Brief History of HTTP 


[Timeline figure: HTTP/0.9, HTTP/1.0, HTTP/1.1, HTTP/2.0 and HTTP/3.0 on a time axis running from 1990 to 2022]


HTTP/1.1 c. 1997

GET /about.html
Host: www.example.com

Web browser makes several parallel requests for page contents: html, images, style, JS.
Each on a new TCP connection.


HTTP/2 c. 2015

Web browser makes one TCP connection with requests for all page contents within HTTP/2 (in

[Diagram: web browser, Internet, proxy, origins]


HTTP/3 c. 2022

Web browser makes one QUIC connection with requests for all page contents using HTTP/3.

[Diagram: web browser, Internet, proxy, origins]


HTTP stacks 


GET /about.html
Host: www.example.com

• Web browser makes several TCP connections to request page contents: html, images, style, JS
• Web browser makes one TCP connection with requests for all page contents in HTTP/2 streams (in binary).
• Web browser makes one QUIC connection with requests for all page contents using HTTP/3 semantics.


Reality of HTTP deployment 


Reusing keepalive connections

[Diagram: Client, Internet]

Don't turn off HTTP/1!


Benefits 


• Less reliance on kernel
• Built-in encryption
• Connection ID: migrate connections
• Faster negotiation*


Negotiation history


• HTTP to HTTPS: 3xx redirect, Meta, JavaScript
• HTTP to HTTPS: HSTS headers
• HTTP(s)/1 to Websocket: Upgrade header
• HTTP/1 to HTTP/2: Upgrade header, NPN & ALPN via TLS
• HTTP/{1,2} to HTTP/3: Alt-Svc header


Alt-Svc examples 


Alt-Svc: h2="new.example.com:443"; ma=86400;
Alt-Svc: h3="newest.example.com:50781"; ma=86400;
Alt-Svc: h3=":50781"; ma=86400;


Servers MAY serve HTTP/3 on any UDP port, since an alternative always 
includes an explicit port. 


HTTP/3 version negotiation 


Client: I don't know you, but I assume you support TLS over TCP

Server: I sure do, you can use HTTP/1 or HTTP/2

(key exchange and encrypted session setup)

Client: Here's my first HTTP request: GET / HTTP/1.1

Server:
HTTP/1.1 200 OK
Date: Tue, 22 Nov 2022 18:06:26
Content-Type: text/html
Alt-Svc: h3=":443"

Client: Here's a UDP packet on port 443, let's talk QUIC

(key exchange and encrypted session setup)

Client: Here's my next HTTP request: GET /style.css HTTP/3.0
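
The Alt-Svc values from the slides above, parsed the way a client (or a defender reviewing what a server advertises) would read them. This is an added example, not code from the talk or from NGINX; `parse_alt_svc` and `h3_endpoints` are hypothetical names and the origin host `example.com` is assumed. It reports which host and UDP port each h3 alternative sends clients to, and whether that host differs from the origin.

```python
from typing import NamedTuple, Optional

class Alternative(NamedTuple):
    protocol: str         # ALPN token such as "h2" or "h3"
    host: Optional[str]   # None: same host as the origin
    port: int             # UDP port for h3, TCP port for h2
    max_age: int          # seconds a client may cache the alternative

def _num(text: str) -> Optional[int]:
    text = text.strip()
    return int(text) if text.isascii() and text.isdigit() else None

def parse_alt_svc(value: str) -> list[Alternative]:
    """Parse one Alt-Svc field value; malformed entries are skipped."""
    if value.strip().rstrip(";").strip().lower() == "clear":
        return []                                  # "clear" drops cached alternatives
    found = []
    for entry in value.split(","):                 # authorities never contain commas
        parts = [p.strip() for p in entry.split(";") if p.strip()]
        if not parts:
            continue
        proto, eq, authority = parts[0].partition("=")
        host, colon, port_text = authority.strip().strip('"').rpartition(":")
        port = _num(port_text)
        if not eq or not colon or port is None or not 0 < port < 65536:
            continue
        max_age = 86400                            # RFC 7838 default when "ma" is absent
        for param in parts[1:]:
            name, _, raw = param.partition("=")
            if name.strip().lower() == "ma" and _num(raw) is not None:
                max_age = _num(raw)
        found.append(Alternative(proto.strip(), host or None, port, max_age))
    return found

def h3_endpoints(origin_host: str, header: str) -> list[tuple[str, int, bool]]:
    """(host, UDP port, points_off_origin) for every h3 alternative advertised."""
    return [(a.host or origin_host, a.port, a.host not in (None, origin_host))
            for a in parse_alt_svc(header)
            if a.protocol == "h3" or a.protocol.startswith("h3-")]

# Header values as shown on the slides
SLIDE_HEADERS = ['h2="new.example.com:443"; ma=86400;',
                 'h3="newest.example.com:50781"; ma=86400;',
                 'h3=":50781"; ma=86400;',
                 'h3=":443"']

if __name__ == "__main__":
    for header in SLIDE_HEADERS:
        print(header, "->", h3_endpoints("example.com", header))
```

The UDP ports it returns are the ones a firewall has to pass and monitoring has to cover for clients to reach HTTP/3; an alternative that points off the origin host deserves a second look in review.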


HTTP/3 optimistic negotiation


Client: I don't know you, but I assume you support TLS over TCP

Client: Maybe you also support QUIC, so here's a UDP packet

(key exchange and encrypted session setup)

Client: Here's my first HTTP/3 frame: GET / HTTP/3.0


Is this the real world?


Real world is more like this


But really, this


Infrastructure Challenges 


• Hardware is tuned for old protocols
• Slow upgrade cycles
• Boxes are not yours
• Requires significant effort between major Internet entities


Server Engineer Challenges


• UDP stack is not optimized
• Need to reimplement features of TCP
• Complicated multiprocessing


Tooling Challenges


• No plaintext version
• Minimal debug tools
• No visibility / monitoring


Security Challenges


• UDP is not trusted due to lots of recent “misuse”
• 0-RTT replay and misconfiguration
• Need to design new security devices
• Conspiracy theories: Google owns both ends of HTTP/3
• Agility of the protocol
  ◦ Overheard yesterday: I’m a bit chaotic, but let’s say “agile”


HTTP/3 with NGINX


• Today: separate branch
  ◦ Howto at quic.nginx.org
• Soon: in mainline


NGINX configuration: HTTP/1 (with TLS)


/etc/nginx/conf.d/proxy.conf


server {
    listen 443 ssl;  # TCP listener for HTTP/1

    # Protocol list is illegible in the source slide; TLSv1.2 and TLSv1.3 are assumed here
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_certificate     ssl/www.example.com.crt;
    ssl_certificate_key ssl/www.example.com.key;

    # proxy_pass is only valid inside a location block
    location / {
        proxy_pass http://my_backend;  # upstream "my_backend" is defined elsewhere
    }
}


NGINX configuration: HTTP/2


/etc/nginx/conf.d/proxy.conf


server {
    listen 443 ssl http2;  # TCP listener for HTTP/1 and HTTP/2
    # remaining directives are not legible in the source slide
}


NGINX configuration: HTTP/3


/etc/nginx/conf.d/proxy.conf


server {
    listen 443 ssl http2;  # TCP listener for HTTP/1 and HTTP/2


Summary


• HTTP/1 is not going away (ever!)
  ◦ Still well-suited for backends and application runtime
• HTTP/2 is already the standard for internet-facing web services
  ◦ but it failed to deliver on its promises, and we're still fixing it!
• QUIC+HTTP/3 addresses many of HTTP/2 challenges
  ◦ Start testing now, but expect to be Internet-facing-only for some time


Must read 


• daniel.haxx.se/http3-explained/
